On March 30, 2023, the California Office of Administrative Law ("OAL") approved final regulations implementing most of the amendments to the California Consumer Privacy Act ("CCPA") that were enacted pursuant to the California Privacy Rights Act ("CPRA"). The new rules ("CPRA Rules") clarify and expand upon key statutory provisions, such as businesses' obligations when processing "sensitive" personal information, prohibitions on the use of "dark patterns," consumer rights requests, sharing personal information for purposes of cross-context behavioral advertising, global privacy controls, and the audit and enforcement authority of the California Privacy Protection Agency (the "Agency"). Included in the CPRA Rules are factual examples to aid businesses in understanding how to apply the various provisions of the CCPA.

The CPRA Rules became effective immediately upon OAL approval. And although enforcement will not commence until July 1, 2023, the California Chamber of Commerce ("CCC") recently sued the Agency, its board members, and California Attorney General Rob Bonta to officially delay enforcement for one year. In its complaint (filed the same day the OAL approved the CPRA Rules), the CCC alleges that the planned July 1, 2023 enforcement date has left "businesses scrambling to manage complex new requirements across their systems and products for rules that are not yet finalized."1

Given the relatively lengthy period during which proposed versions of the CPRA Rules were available to the public, and the broad discretion granted to the Agency under the CPRA, an order delaying the CPRA Rules' effective date may be unlikely. Attention to near-term compliance with the CPRA Rules, including but not limited to the provisions discussed below, is therefore advisable for all entities regulated under the CCPA.

Key Provisions in the CPRA Rules

Restrictions on the Collection and Processing of Personal Information

The CPRA Rules outline the factors that businesses should consider when evaluating whether a business' collection, use, retention, and/or sharing of a consumer's personal information is "reasonably necessary and proportionate" to achieve the purpose(s) for collection or processing, and consistent with the "reasonable expectations of the consumer(s)" whose personal information is collected or processed and therefore lawful under the CCPA. In short, the CPRA Rules basically incorporate data minimization and privacy impact assessment requirements into the CCPA.

Whether a business' collection, use, retention, and/or sharing of a consumer's personal information is "reasonably necessary and proportionate" to achieve a particular purpose depends on (1) the minimum personal information necessary to achieve the purpose, (2) the possible negative impacts on consumers posed by the business' collection or processing of personal information, and (3) the existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers considered in subsection (2).

The "reasonable expectations of the consumer(s)" must be based on numerous factors, such as the relationship between the consumer and the business and the specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer's personal information. For example, it would likely be considered reasonable for an online retailer to collect a consumer's mailing address and disclose it to a shipping vendor to complete a purchase of goods.

Companies should, therefore, ensure that they have processes in place to conduct (and document) the above-referenced processes. Companies that already engage in privacy by design and in conducting impact assessments should be able to merely tweak these processes to comply. Those that do not may have to implement new processes.

Privacy Policy Requirements and Single Notice at Collection

The CPRA Rules prescribe several new privacy policy content requirements. Important to some of these requirements is the special definition of "sharing" under the CCPA, a term that was added by the CPRA. Despite its commonly understood meaning, "sharing" is not synonymous with "disclosing" for CCPA purposes. Rather, "sharing" specifically means disclosing to a third party for cross-context behavioral (i.e., targeted) advertising.2 As prescribed in the CPRA Rules, a business' privacy policy must identify the categories of third parties to whom personal information was sold, shared, or disclosed for each category of personal information that the business has sold, shared, or disclosed to third parties in the preceding 12 months. The privacy policy must also contain statements regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age and whether the business uses or discloses "sensitive" personal information in a manner other than those permissible purposes enumerated in the CCPA.

In instances where more than one business controls the collection of a consumer's personal information, the CPRA Rules permit businesses and third parties to provide a single notice at collection that includes the required information about their collective information practices. The CPRA Rules also provide that where a business, acting as a third party, controls the collection of personal information on another business' physical premises (e.g., a retail store or vehicle), that business must provide a notice at collection in a conspicuous manner at such physical location.

Companies will likely need to update their privacy notices to comply with the CPRA Rules and may need to implement notices at collection in some circumstances.

Prohibition on Dark Patterns

The CPRA Rules prohibit businesses from seeking to manipulate individuals to share their personal data through the use of "dark patterns." The CPRA Rules contain several illustrative examples of dark patterns, such as requiring consumers to click through disruptive screens before being able to submit a request to opt-out of sale/sharing, and "bundling" choices so that the consumer is only offered the option to consent to using personal information for certain purposes. Avoiding any such types of dark patterns requires the use of methods that: (1) provide consumers with symmetry in choice between opting out and opting in; (2) do not impair or interfere with the consumer's ability to make a choice; and (3) do not "add unnecessary burden or friction to the process by which the consumer submits a CCPA request." Requiring a consumer to answer "Are you sure?" or a similar question after the consumer has indicated a choice to opt out of a certain use or disclosure of personal information is a clear example of what the Agency would consider a prohibited "dark pattern."

Therefore, companies should ensure that their processes do not present any unnecessary difficulties in consumers exercising their rights.

Contracts with Service Providers, Contractors, and Third Parties

The CPRA Rules make explicit that, in order to meet the definition of a "service provider" or "contractor," a person or entity may not agree to provide "cross-context behavioral advertising" services to a business. Thus, a business may only enter into contracts that involve sharing personal information for cross-context behavioral advertising with a "third party" (which by definition is neither a "service provider" nor a "contractor"). A business must provide consumers with more detailed information about disclosures of their personal information to "third parties" than disclosures to "service providers" or "contractors" and disclosures to "third parties" are subject to additional obligations, such as providing opt-out mechanisms and responding to opt-out requests.

The CPRA Rules also elaborate on and expand the contract requirements for (1) service providers and contractors and (2) third parties. For example, contracts with service providers and contractors must prohibit the service provider or contractor from combining or updating personal information collected under a contract with personal information that it received from another source or collected from its own interaction with the consumer. And when a business sells or "shares" a consumer's personal information with a third party, the business must bind the third party to an agreement that sets forth the limited and specific purposes for which the personal information is being made available to the third party.

These contractual requirements are not to be fulfilled solely by execution of a written instrument: under the CPRA Rules, a business' failure to enforce these requirements on its service providers, contractors, and third parties by, e.g., never enforcing the terms of its contracts or exercising its audit rights, may preclude that business from relying on a defense to a CCPA violation claim that it did not have reason to believe that any personal information would be misused.

Again, companies may need to update current and template contract language. We believe at this point, a global data protection agreement, with slight revisions for some jurisdictions, can be easily completed for vendors and other third-party service providers that meet these new requirements (and align with requirements under other state laws as well as laws outside of the United States).

Right to Opt-out of Sale/Sharing and Limit the Use of Sensitive Personal Information

The CPRA Rules outline technical specifications for the "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links that must be displayed to consumers when the business engages in such practices. For example, the CPRA Rules specify that both links must be located at either the header or footer of the business' internet homepage(s).

A business is not required under the CPRA Rules to provide a Notice of Right to Limit or a "Limit the Use of My Sensitive Personal Information" link if it (1) only uses and discloses sensitive personal information collected about the consumer for certain permissible purposes (e.g., the performance of services or provision of goods reasonably expected by an average consumer who requests those goods or services) and states so in its privacy policy, or (2) only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer, and states so in its privacy policy.

The CPRA Rules also make clear that a notification or tool regarding cookies, such as a cookie banner or cookie controls, is not an acceptable method for submitting requests for the opt-out of sale/sharing because "cookies concern the collection of personal information and not the sale/sharing of personal information."

Consumers' Right to Correct; Opt-out Preference Signals

The CPRA Rules implement the CPRA-added right of consumers to have their personal information corrected by, among other things, specifying the factors businesses must consider when determining whether to grant a consumer's request for correction: the nature of the personal information and the source from which it was obtained, as well as all documentation relating to the accuracy of the information provided by the consumer or other sources. Businesses must also adhere to a number of other obligations when responding to requests to correct, such as implementing reasonable security procedures and practices to protect the confidentiality of documentation relating to the consumer's request to correct.

The CPRA Rules also require, for businesses that sell or share (as defined by the CCPA) personal information, recognition of "opt-out preference signals," i.e., browser- or app-based settings that are intended "to provide consumers with a simple and easy-to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing." The CPRA Rules set forth detailed technical requirements for these signals, how businesses must treat signals across devices, and the impact of prior or subsequent opting in. This could be a significant technical lift for many companies that do not currently recognize such signals.

Enforcement and Audits

The CPRA Rules outline how the Agency should perform investigations and hearings and issue enforcement actions against businesses. They also detail the procedural and substantive requirements for filing a complaint with the Agency's Enforcement Division. Under the CPRA Rules, the Agency not only may audit a business, but also may audit any service provider or contractor of a business, or indeed any other person, to investigate compliance with the CCPA. Audits may be conducted for possible violations of the CCPA or to determine if certain processing of personal information presents significant risk to consumers' privacy or security, particularly if the subject of the audit has a history of noncompliance with the CCPA or any other privacy protection law.

Looking Ahead

The CPRA Rules should prompt businesses to review their privacy policies and procedures as well as contract templates with service providers, contractors, and third parties to determine if updates are needed. In doing so, businesses subject to one or more of the other broadly applicable state privacy regimes can seek to harmonize their CCPA-compliance policies and practices with actions taken to comply with the other state law requirements, such as the regulations recently issued pursuant to the Colorado Privacy Act. In the near future, companies will also need to grapple with the Agency's anticipated regulations regarding cybersecurity audits, risk assessments, and automated decision-making.

Organizations that have questions regarding their obligations under the CCPA may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm's Privacy, Cybersecurity and Data Strategy team would be pleased to assist with any questions about privacy compliance and enforcement more broadly.

Footnotes

1. Verified Pet. for Writ of Mandate and Compl., California Chamber of Com. v. California Priv. Prot. Agency, Case No. 34-2023-80004106-CU-WM-GDS, ROA #1, at 1 (Mar. 30, 2023).

2. "Cross-context behavioral advertising" is defined as "the targeting of advertising to a consumer based on the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts." Cal. Civ. Code § 1798.140(k).
